02-17-2021 10:37 AM
Panorama is on version 10.0.1 and device is on version 9.1.x.
I am able to create rules in Panorama and the rules are pushed to the device. Everything looks fine at this point.
When I modify the rules through the GUI, like adding a group tag, etc., Panorama doesn't complain, but pushing to the device always fails with "hip-profiles is a duplicate node". There is no HIP defined and all the rules have 'any' as 'HIP Profile'.
Version differences might be what's going on here, but I would like to know what the Ansible scripts are doing to cause this issue and find a way to avoid this.
Has anyone had a similar experience with this?
thanks.
03-23-2021 08:20 AM - edited 03-24-2021 11:11 AM
The issue is because of the "device / hip profile" option for policies introduced in 10?.
I just was not able to find this feature in the release notes... can someone link it?
Panorama knows this new kind of filter:
But your firewall does not.
Even if you don't configure it but change something in the policy, Panorama will add a "hip-profiles any;" to the configuration.
And the device, which does not know about such a configuration option, somehow interprets this as "hip-profile is a duplicate node".
However, it also reports back "rules is invalid".
I have no idea yet how to fix it. I have to overwrite new changes on the firewall directly because I am not able to push this template from Panorama.
You can easily prove it by using a configuration preview.
--edit
We were able to work around things. This issue seems to affect just cloned rules.
You can delete these lines from the Panorama CLI before committing to the firewalls.
03-29-2021 08:09 AM
thank you, solution verified.
03-29-2021 08:28 AM
thanks, solution verified.
04-13-2021 02:43 AM - edited 04-13-2021 02:43 AM
added the WO - just to be precise:
configure
delete device-group <device group> pre-rulebase security rules "<rule name>" source-hip
delete device-group <device group> pre-rulebase security rules "<rule name>" destination-hip
06-22-2021 11:19 PM
For me it was:
delete device-group <device group> pre-rulebase security rules "<rule name>" hip-profiles